The Schwartz Report

Did Microsoft Cross the Line in Searching Hotmail Account for Employee Theft?

A former Microsoft employee was arrested in Seattle earlier this week after the company searched his Hotmail account and found evidence he was allegedly leaking information and code to a blogger who ended up illegally selling pirated software.

Alex Kibkalo, a former Microsoft architect, is accused of stealing trade secrets and leaking Windows 8 code to an unnamed French blogger while working for Microsoft. Kibkalo, a Russian national who also has worked for Microsoft in Lebanon, also allegedly bragged about breaking into the Redmond campus and stealing the Microsoft Activation Server Software Development Kit, a proprietary solution aimed at preventing unauthorized distribution of the company's software and licenses, SeatlePIreported Thursday.

The move forced Microsoft to admit it had scanned a user account on its Hotmail service to obtain evidence. This comes at a time when many customers lack trust that Microsoft and others are taking enough measures to ensure their privacy of information in the services. Revelations of the National Security Agency (NSA) surveillance efforts by Edward Snowden and accusations that Microsoft and others were cooperating with the NSA has heightened those fears, despite efforts by the players involved to ensure such cooperation is limited to rare instances where there are court orders.

In this case, Kibkalo made it quite easy for Microsoft to discover his alleged acts. One must wonder why he or the blogger would use the company's e-mail service to communicate. Putting that aside, Microsoft accessed the e-mails without a court order because apparently the company legally didn't need a court order to search its own service. But the company did obtain court orders for other aspects of the investigation, said Microsoft Deputy Counsel John Frank, in a blog post published last night.

Frank justified Microsoft's decision to access the e-mails in its Hotmail service and it appears Microsoft didn't violate any laws or its own policies, though some question the wisdom of its actions. "We took extraordinary actions based on the specific circumstances," Frank said. "We received information that indicated an employee was providing stolen intellectual property [IP], including code relating to our activation process, to a third party who, in turn, had a history of trafficking for profit in this type of material. In order to protect our customers and the security and integrity of our products, we conducted an investigation over many months with law enforcement agencies in multiple countries. This included the issuance of a court order for the search of a home relating to evidence of the criminal acts involved. The investigation repeatedly identified clear evidence that the third party involved intended to sell Microsoft IP and had done so in the past."

Likely anticipating customers and privacy advocates might be unnerved by the fact that it dipped into its own servers despite the probable cause of the alleged criminal activity, Frank said Microsoft is stepping up its policies for the way it handles such discovery in the future. "While our actions were within our policies and applicable law in this previous case, we understand the concerns that people have," he said.

Moving forward, he said Microsoft will not search customer e-mail or other services unless there's evidence of a crime that would justify a court order. In addition, Microsoft will turn to a former judge who will now determine if the probable cause would justify a court order and even in those instances, the searches would be limited to searching for the information centered around the suspected activity, not other data, and that it would be supervised by counsel.

To ensure transparency, Microsoft will publish whatever searches it has conducted as part of its biannual transparency reports, he said. "The privacy of our customers is incredibly important to us," he said. "That is why we are building on our current practices and adding to them to further strengthen our processes and increase transparency."

Will appointing a judge to evaluate the merits of the case be enough to settle your concerns that the company won't be looking at your data? Leave your comments below or e-mail me directly.